dmz | ️ DMZ : Dotfiles , viM and Zshrc config | Command Line Interface library

Im trying to get the clustername, datastore cluster, port groups, and some other facts from vcenter using ansible. I've read the docs here but the data Im getting in return is almost too much and needs to be filtered. Here's an example of the clustername playbook. It works, but Im looking to get just the name of the cluster. Im outputting it to a yaml file so I can import it into a pipeline later. Here's the code.

I have a docker image, which uses Linux, R and plumber and works fine when pushed to an ACR and deployed to an ACI. The problem is, that the resulting endpoint is accessible via the Internet. It should only be accessible within our DMZ (?) virtual network (?) - apologies about my clumsy/potentially wrong use of terms. So IT created a private endpoint, which makes sense to me, but according to this:

https://docs.microsoft.com/en-us/answers/questions/193123/azure-aci-with-private-acr-and-selected-public-net.html

See also previous related post:

error whilst trying to deploy container image after introduction of private endpoint

This is currently not supported for ACI? How else can the ACI endpoint be secured in my scenario please? Thanks!

I was trying to test the scenario of handling external changes to existing resources and then syncing my HCL config to the current state in the next apply. I could achieve that using 'taint' for the modified resource, but TF deleted other resources which were deployed during the first 'apply'. Here is the module code for a VNet with 3 subnets(prod,dmz and app) and 3 NSGs associated. And I tested with modifying one of the NSGs but TF deleted all of the subnets-

VNET-

Considering the following data structure, I'm looking to use jq to return each document based on the following criteria:

1. Return all documents whose members array contains a key subPath
2. Return all documents whose members array does NOT contain a key subPath
3. Return all documents whose members array is empty

We currently have VM environment setup with an internal network and a DMZ network. Historically we had no open ports between these environments, but needs arose for communication between the internet and services/APIs running on our internal servers.

We decided to use our DMZ network as a proxy/gateway, where we specifically use Kong Gateway, exposing ports 80/443 to the internet, and then proxying/forwarding requests through a different port opened up between the DMZ server and the specific internal server that needs to handle this communication. A random, non-standard, high port is being used for all requests between the DMZ server and our internal network, and we then use a reverse proxy on our internal server to route specific request via hostnames to specific APIs/services on the internal server.

Now, we're in the process of converting our internal environment to a k8s cluster, and I'm interested in knowing if there'd be any "real" difference to security, if we were to forego the DMZ proxy, and exposing ports 80/443 directly from the internet to our internal k8s cluster, and handle all the security/authentication/authorization through the ingress controller on our cluster.

It would simplify our infrastructure a decent bit, to not have this DMZ proxy running.

From my understanding the purpose of the DMZ proxy was that if a breach were to happen in the chain, it would be much harder to further penetrate our internal network, if the breach was only on the DMZ server. But my networking and security knowledge is not good enough to say if this is actually true, and it just provides a false sense of extra security, in which case, we'd have the exact same level of security with exposing those same ports directly on our internal k8s cluster, while simplifying the overall infrastructure.

With a Spring Boot client configured in the DMZ and Spring Security OAuth configured using:

Is it possible to have a public facing event hub protected by a DMZ?

I know about IP whitelists but not sure how secure this is?

I'm writing to you because I can't solve a problem with a client.

My client has an infrastructure with the following characteristics:

• 2 ISP routers
• 1 fortigate firewall
• 1 dedicated router that broadcasts a UCOPIA US250 guest portal
• 65 Zyxel switches (1900 - 24) and one 4600 switch (4x 24 ports for the core network)
• 250 WIFI LIGOWAZE NFT terminals
• 80 VLANs

I do not manage the first 3 equipments, it is another provider.

Today, I have to pass the VLAN dedicated to the guests. The other provider has set up the FORTIGATE to broadcast the DHCP and the associated VLAN on the DMZ port to the OUT port of the UCOPIA. I have to broadcast VLAN 420 from the IN port to the ZYXEL switch and to the LIGOWAVE terminals.

However, when I am connected to the UCOPIA on the IN port, I manage to get the desired IP and to reach the portal, but when I test on the ZYXEL switch, it is impossible to get the dedicated VLAN. I put myself on another port of the ZYXEL, I TAG the VLAN in question. I have modified the ID of my VLAN on my computer in DHCP that does not work. I tried to use static IP but still nothing. I can't even ping the gateway. The ZYXEL port to which the UCOPIA is connected is TAGGED on the dedicated VLAN. I have also tried Untagged and excluding all the other VLANs but it is impossible to get this network.

Do you have any other ideas for me?

Here, you can see my diagram network: MyNetwork

I have a CentOS 7 server which was running happily for 600+ days until it was rebooted recently, after which incoming web requests were receiving HTTP523 (Origin Is Unreachable) error codes (via Cloudflare, if that makes a difference?) unless I stopped the firewalld service. Things run fine without firewalld, but I'd rather not leave it disabled!

I've tried stopping docker and firewalld and restarting them in various sequences, but the same 523 error occurs unless I stop firewalld.

/var/log/firewalld contains a few warnings that might help:

• WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-8acb606a3b50 -o br-8acb606a3b50 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
• WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
• WARNING: AllowZoneDrifting is enabled. This is considered a n insecure configuration option. It will be removed in a future release. Please consider disabling it now.
• WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.4.21: Couldn't load target 'DOCKER':No such file or directory
• WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
• WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?)
• WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -F DOCKER' failed: iptables: No chain/target/match by that name.

I've found seemingly conflicting advice around the place regarding any manual configuration/commands required:

1. firewall-cmd --permanent --zone=trusted --add-interface=docker0 on a CentOS forum
2. firewall-cmd --zone=trusted --remove-interface=docker0 --permanent on the offical Docker docs -- surely that's the opposite of the above?
3. a bunch of manual firewall-cmd commands on a Docker github issue -- surely all of that isn't required?
4. this one looks promising -- nmcli, NetworkManager and firewall-cmd --permanent --zone=trusted --change-interface=docker0

I don't fully understand where the br-8acb606a3b50 interface comes from, or whether I need to do anything to configure it as well as docker0 if I use a solution like 4. above? It was all working fine automatically for years until the reboot!

Are some magic firewalld incantations now required (and why?!) or is there some way I can get the system to get back into the correct auto/default configuration it was in prior to rebooting?